Schrems II: How to Protect Against Liability When Using Non-EEA / Equivalency Country Vendors

98% of the participants in an Anonos Schrems II webinar held on 13 January, involving 2000+ executives representing 1700+ companies from 50+ countries, expressed concern about the risks associated with cloud-based processing of cleartext EU data and remote access to EU data for business purposes. In follow-up meetings and discussions with representatives from hundreds of companies, grave concerns have been raised regarding the risk of personal and criminal liability for corporate officers and Boards of Directors for ongoing use of non-EEA Cloud, SaaS and outsourcing solutions.

The significant publicity regarding the potential negative impacts of Schrems II means that a lack of corporate action in response may constitute “wilful blindness to a course of action” or “reckless conduct by knowing of the risk but doing nothing.”[i] In addition, auditors have an obligation to report data protection violations to authorities under the International Ethics Standards Board for Accountants (IESBA), and Non-compliance with Laws and Regulations (NOCLAR).[ii]

When dealing with non-EEA/equivalency country vendors claiming that their services occur entirely within the EU, removing them from the realm of Schrems II issues, corporate officers and Boards of Directors are still be open to risks. This is because while the data may appear to be accessed and processed solely only within the EU, vendors often retain access to the data or to keys or other methods for accessing the data for purposes of performing services or other contractual obligations.

The ability of non-EEA/equivalency country vendors to access EU personal data raise the following two Unlawful Use Cases identified by the EDPB below:[iii]

• Unlawful Use Case 6: Transfer to cloud services providers or other processors which require access to data in the clear.
• Unlawful Use Case 7: Remote access to data for business purposes.

The existence of Unlawful Use Cases 6 and 7 mean that common vendor practices leave corporate officers and Boards of Directors open to liability risks from the potential for unlawful data access.

It is also important to note that the CJEU did not include any grace period for the Schrems II decision, meaning that compliance is immediately required. Industry direction may come at a later date, but measures are necessary immediately to ensure risks are mitigated.

To mitigate these risks, Anonos recommends that companies request that the following guarantees be included in contracts with vendors claiming that their services occur entirely within the EU.

Proposed Third-Party Guarantees:

• [Insert Third-Party Vendor Name] guarantees that when using our [software/services], no data is processed, or could be processed, in the memory of our systems or otherwise so that the data is accessible in the clear at any time by us, or through us to authorities in any non-EEA / equivalency country, with respect to which we are under an obligation to share, provide or disclose the data.
• [Insert Third-Party Vendor Name] guarantees that when using our [software/services], we retain no keys, copies of keys, or any other access mechanism (e.g., “break the glass” access in emergency, non-payment or other situations) to provide us with the ability to view or otherwise access your data in the clear at any time.
• [Insert Third-Party Vendor Name] guarantees that our [software/services] protect not only direct identifiers but also indirect identifiers that in combination could reveal the identity of data subjects.

If vendors are unwilling to provide such guarantees, an alternative solution is to transform Unlawful EDPB Use Case 6 and 7 scenarios into lawful processing by Pseudonymising the data before providing for processing by non-EEA providers to satisfy the requirements for Lawful EDPB Use Case 2: Transfer of GDPR Pseudonymised data.[iv]

If organisations are unable to give you these guarantees, or refuse to do so, you must move your data processing and transfers into Use Case 2 to protect the data when in use, or stop data transfers. If you elect not to take this course of action, your decision (and the reasons underlying your decision) should be carefully documented for your records.

To learn more, see the following resources to help organisations comply with Schrems II:

• Top 8 Misconceptions
• Legal Solutions Guidebook
• Implementation Workshop Replay
• Executive Briefing Portal
• Linkedin Group (Over 4200 members)
• IDC Report: Anonos - Embedding Privacy and Trust Into Data Analytics Through Pseudonymisation
• Schrems II Blog
• Anonos Supplementary Measures

Read 8 misconceptions at SchremsII.com/8misconceptions

Download Legal Solutions Guidebook at: SchremsII.com/Guidebook

#brexit #adequacy #transfers #Pseudonymisation #EU #privacyshield #privacy #scc #bcr #schremsII #schrems2 #gdpr #edpb #edps #dataprotection #lawfulborderlessdata #supplementarymeasures #edpbguidance #additionalsafeguards #sccs

[i]See https://normcyber.com/advisory-note/data-protection-directors-personal-liability/ and https://www.financierworldwide.com/roundtable-risks-facing-directors-officers-aug17

[ii]See https://www.ifac.org/system/files/publications/files/IESBA-NOCLAR-Fact-Sheet.pdf

[iii]https://edpb.europa.eu/sites/edpb/files/consultation/edpb_recommendations_202001_supplementarymeasurestransferstools_en.pdf, at paragraphs 88 - 91.

[iv]https://edpb.europa.eu/sites/edpb/files/consultation/edpb_recommendations_202001_supplementarymeasurestransferstools_en.pdf, at paragraph 80.

This article originally appeared in LinkedIn. All trademarks are the property of their respective owners. All rights reserved by the respective owners.